Web Server Security Guidelines

Overview

Web servers are often the target of numerous exploit attempts. When improperly secured they introduce a significant risk to the networked computing environment at Carnegie Mellon. Furthermore, Web servers at Carnegie Mellon are often administered by individuals who have minimal experience with Web server administration. This group has indicated the need for some basic steps to follow to secure a Web server.

Applies to

These guidelines apply to all individuals responsible for Web server administration at Carnegie Mellon.

Purpose of the Guideline

The purpose of this guideline is to ensure that basic security safeguards are utilized. Failure to adhere to simple best practices when administering a Web server can result in security incidents.

Definition/Clarification

Least Privilege: The principle of least privilege requires that a user be given no more privilege than necessary to perform a job.

SSL/TLS: Secure Sockets Layer and Transport Layer Security are protocols that provide server and client authentication and encryption of communications.

Guideline Statement

Computing Services requests that Web administrators adhere to steps outlined in this guideline in an effort to reduce the success of various exploit attempts and to protect against the simplest vulnerabilities inherent to Web servers.

The majority of the content within this guideline was derived from NIST SP 800-95 Guide to Secure Web Services.

User Responsibilities and Procedures

Patch and/or upgrade the operating system on a routine basis. Patching may also need to be done out of cycle if a critical exploit exists, provided a patch and/or workaround is available.

Administrators need to monitor appropriate mailing lists and/or web sites for security-related announcements. Often, this means subscribing to the appropriate “announce” mailing list for any network-accessible software that has been installed.

Configure the operating system to meet system best practices. This includes but is not limited to the following:

Web servers should be configured to prohibit access to files that may not be intended for public consumption. In particular, do not make arbitrary directories in AFS publicly available. For additional considerations refer to relevant privacy regulations such as FERPA.

Create log files for future investigations and/or recovery purposes.

Establish different log file names for each virtual Web site hosted on the same physical Web server.

Ensure mechanisms are in place to prevent log files from filling up the hard drive.

Separate Web server content and related subdirectories from operating system and application directories.

Perform regular backups of Web content and occasional backups of operating system and application configurations.

Employ Web authentication and encryption technologies such as SSL/TLS based upon the nature of Web server data (e.g. sensitive, private, confidential…).
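As an added example that is not part of the guideline, the following Apache httpd 2.4 configuration fragment shows how the steps above translate into server settings (Apache is an assumption; the guideline names no particular server, and the host name, paths and the rotatelogs location are placeholders): content kept in its own tree outside operating system and application directories, access denied by default and opened only for the public document root, a separate log file per virtual site, a cap on retained log files so they cannot fill the disk, and TLS for the site.

```apache
# Deny everything by default; only directories opened explicitly below are served.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Web content lives under its own tree (assumed path), separate from OS and
# application directories. No directory listings, SSI or CGI from the content tree.
<Directory /srv/www/example/public>
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:443>
    ServerName www.example.edu
    DocumentRoot /srv/www/example/public

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.edu.key
    # Allow only TLS 1.2 and 1.3 (TLSv1.3 needs httpd 2.4.36+ with OpenSSL 1.1.1+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # One log pair per virtual site, rotated daily (86400 s). "-n 30" keeps a
    # circular set of 30 files, so the logs cannot grow without bound.
    # rotatelogs path varies by distribution (e.g. /usr/bin or /usr/sbin).
    ErrorLog  "|/usr/sbin/rotatelogs -n 30 /var/log/httpd/www.example.edu-error.log 86400"
    CustomLog "|/usr/sbin/rotatelogs -n 30 /var/log/httpd/www.example.edu-access.log 86400" combined
</VirtualHost>

# The plain-HTTP listener only redirects to the TLS site and keeps its own logs.
<VirtualHost *:80>
    ServerName www.example.edu
    Redirect permanent / https://www.example.edu/
    ErrorLog  "|/usr/sbin/rotatelogs -n 30 /var/log/httpd/www.example.edu-http-error.log 86400"
    CustomLog "|/usr/sbin/rotatelogs -n 30 /var/log/httpd/www.example.edu-http-access.log 86400" combined
</VirtualHost>
```

Run `apachectl configtest` after editing and confirm each site writes to its own log files; sites that have no such separation show up as a single shared access log under the server root.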

Establish internal change control methodology that includes but is not limited to the following:

Notification of the change (including a description, contact person, date, and time of the change) to all people potentially affected by the change, by an outage, or by other items related to the change (for example, the Computing Services Help Center, so they can address any calls that may come in as a result of the change).

Test the change(s) on a test system, if one is available, before making the change in the production environment.

Back up relevant information and the information affected by the change before implementing the change.

Document all changes made to the system, application, or web content, and establish revision control mechanisms.